How do I configure my Application Load Balancer TLS/SSL listeners to use ECDSA ciphers?

4 minute read

My Application Load Balancer’s security policy lists RSA and ECDSA ciphers. But when I connect to my load balancer, I see only RSA ciphers selected.

Short description

You can configure an Application Load Balancer HTTPS listener with multiple certificates. However, it requires a security policy. Each security policy contains ciphers for both RSA and ECDSA cryptographic algorithms. During the TLS handshake, the Application Load Balancer uses selection process logic to determine which Application Load Balancer certificate to use for the HTTPS connection. If the chosen certificate is created with RSA or ECDSA (elliptic curve) keys, then the Application Load Balancer uses RSA or ECDSA ciphers for encryption.


To use ECDSA ciphers with your Application Load Balancer, complete the following steps:

Create or import a new ECDSA certificate to ACM and bind it to an HTTPS listener

Create a new ECDSA certificate

First, determine your certificate requirements. Then, request an ECDSA certificate from AWS Certificate Manager (ACM).

Import the ECDSA certificate to ACM

After you work with your certificate authority to get the ECDSA certificate for your domain in .pem format, import your new ECDSA certificate to ACM.

After you create or import your ECDSA certificate to ACM, associate your certificate with your Application Load Balancer.

(Optional) Test your load balancer’s TLS listener for supported ciphers

To test which protocols and ciphers are used, use an open source command line tool, such as sslscan.

Note: Using sslscan lets you get complete information for all ciphers without using an additional third-party utility. For example, if you use curl, then you must specify individual cipher suites. These require separate curl requests that specify TLS protocols and cipher suites.

You can install and run the sslscan command on any Amazon Elastic Compute Cloud (Amazon EC2) Linux instance or from your local system. Make sure that the load balancer that you want to test accepts TLS connections from your source IP address.

To use sslscan on an Amazon Linux EC2 instance, complete the following steps:

1.    Activate the Extra Packages for Enterprise Linux (EPEL) repository.

2.    Install sslscan on your Amazon EC2 Linux instance:

sudo yum install sslscan

3.    To scan your Application Load Balancer for supported ciphers, run the following command. Replace with your domain name:

[ec2-user@ ~]$ sslscan --show-ciphers | grep Accepted

Here's an example output that shows the results of running a vulnerability scan on your Application Load Balancer. In this example, the load balancer uses a P-256 ECDSA certificate and default security policy:

    Accepted  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
    Accepted  TLS11  256 bits  ECDHE-ECDSA-AES256-SHA
    Accepted  TLS11  128 bits  ECDHE-ECDSA-AES128-SHA
    Accepted  TLS12  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  ECDHE-ECDSA-AES256-SHA384
    Accepted  TLS12  256 bits  ECDHE-ECDSA-AES256-SHA
    Accepted  TLS12  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  ECDHE-ECDSA-AES128-SHA256
    Accepted  TLS12  128 bits  ECDHE-ECDSA-AES128-SHA

The following example output features a load balancer with an RSA 2048 certificate and default security policy:

    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS11  256 bits  AES256-SHA
    Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS11  128 bits  AES128-SHA
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-SHA256
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA256
    Accepted  TLS12  128 bits  AES128-SHA

If you correctly configured your ECDSA certificate on your Application Load Balancer, then your output shows the negotiated ECDHE-ECDSA-* cipher suites. If your output shows other cipher suites, then review and update your Application Load Balancer security policy.

AWS OFFICIALUpdated a year ago